Styx Exploit Kit Takes Advantage of Vulnerabilities

Web-based malware has increased over the last few years due to an abrupt spike in new exploit kits. These kits target vulnerabilities in popular applications and provide an effective way for cybercriminals to distribute malware. We have already discussed Red Kit, a common exploit kit. Recently McAfee Labs has observed an increase in the prevalence of the Styx exploit kit.

The next graph shows the prevalence of this exploit kit in the wild.

Overview of an attack

Like other exploit kits, Styx covertly redirects users as they visit a legitimate website to a malicious landing page that hosts the exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign.

The landing page has an iframe that contains a malicious link with obfuscated code.

Malicious iframe

The JavaScript used on the landing page references the iframe using a unique ID, deobfuscates the malicious code, and loads the following malicious web pages hosted on the compromised server.

Jorg.html

Jlnp.html

Pdfx.html

Malicious JavaScript

The page jorg.html downloads a JAR file that targets the vulnerability CVE-2013-0422.

Jlnp.html uses the Java Network Launch Protocol, which allows the user to download a malicious JAR file that targets the vulnerability CVE-2013-2423. The attackers bypass the Java security check by setting the parameter “__applet_ssv_validated” value to True.

Jlnp.html

Pdfx.html loads two web pages, fnts.html and jovf.html, which download an eot (web-based font file) and a JAR file. These files target the vulnerability “CVE-2011-3402” and CVE-2013-1493, respectively. Finally, pdfx.html downloads a PDF that targets the vulnerability CVE-2010-0188.

Payload

The final payload of this exploit kit is a downloader that delivers additional malware from the remote server. Depending upon the attacker, the payloads are custom made and delivered to the compromised machine.

URL Patterns

The Styx exploit kit uses different URL patterns for its landing pages.

hxxp://[domain name]/6YcinO0Sseq0fDBV0T3aT0lJAg0EkbA04FxQ0n5Ql06rpn/

hxxp:// [domain name]/txjtJC07tCh0umHs0NZTL0OYgb0zOvl0JZ2V06bOd0xKmb/

http:// [domain name]/8iVsog0IrKi09gpk0lpTv0DPpd0vjHb0UHWZ0Rq2P13ZsU/

hxxp:// [domain name]/VgsHRk0dg8z0eREo0a8IG0DW9f04Ovg08zLs0VzuY0EqiG/

hxxp:// [domain name]/YONmPa0VeqA14XYe13zsL081Lc09i7W0e4gM/

This exploit kit also uses unique URL patterns for downloading the exploit files.

hxxp://[domain name]/[Random characters and numbers]/jorg.html

hxxp://[domain name]/[Random characters and numbers]/jlnp.html

hxxp://[domain name]/[Random characters and numbers]/pdfx.html

hxxp://[domain name]/[Random characters and numbers]/fnts.html

hxxp://[domain name]/[Random characters and numbers]/jovf.html

How to prevent this attack

Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.

In spite of the availability of patches for known vulnerabilities such as CVE2013-0422, CVE-2010-0188, etc., this exploit kit still targets these vulnerabilities. McAfee recommends that you install the latest patches for Java and Adobe Reader.